Finite Fields and Their Applications 58 (2019) 133–144
Double circulant LCD codes over Z4 ✩

Minjia Shi (a), Daitao Huang (a), Lin Sok (a,b), Patrick Solé (c)

(a) School of Mathematical Sciences, Anhui University, Hefei, Anhui, 230601, China
(b) Department of Mathematics, Royal University of Phnom Penh, 12156 Phnom Penh, Cambodia
(c) Aix Marseille University, CNRS, Centrale Marseille, I2M, Marseille, France
Article history: Received 11 August 2018; received in revised form 9 March 2019; accepted 4 April 2019; available online xxxx. Communicated by W. Cary Huffman.

Abstract. The codes in the title are studied with respect to existence, enumeration and asymptotic performance. Their Gray images are shown to satisfy a modified Gilbert-Varshamov bound. Explicit counting formulas are derived. Examples of modest lengths are given where Gray images of LCD Z4-codes outperform the best known binary linear LCD codes. © 2019 Elsevier Inc. All rights reserved.

MSC: primary 94B65; secondary 13K05, 13.95
Keywords: Z4-codes; Double circulant; Self-dual; LCD; Boolean masking
✩ This research is supported by National Natural Science Foundation of China (61672036), Excellent Youth Foundation of Natural Science Foundation of Anhui Province (No. 1808085J20, 1908085MA04) and Provincial Natural Science Research Project of Anhui Colleges (No. KJ2018A0030). E-mail addresses:
[email protected] (M. Shi),
[email protected] (D. Huang),
[email protected] (L. Sok),
[email protected] (P. Solé).
https://doi.org/10.1016/j.ffa.2019.04.001 1071-5797/© 2019 Elsevier Inc. All rights reserved.
M. Shi et al. / Finite Fields and Their Applications 58 (2019) 133–144
1. Introduction

Binary double circulant codes have been known to be asymptotically good since 1969 [7]. More recently, this result was extended to double circulant codes over $\mathbb{F}_q$, for any $q$, and refined for the self-dual subclass [1]. A key ingredient in the proof was the CRT approach to quasi-cyclic codes introduced in [13], which reduces the study of quasi-cyclic codes to the study of shorter codes over larger alphabets. Thus the study of double circulant codes over fields reduces to the study of codes of length 2 over extensions of the alphabet field. In the present paper, we consider double circulant codes over the ring $\mathbb{Z}_4$, following the same approach over rings [14]. We focus on the subclass of such codes that are Linear Complementary Dual (LCD for short). LCD codes are defined as linear codes that intersect their duals trivially. They were introduced by Massey in 1992 [15]. LCD codes have enjoyed a renaissance recently, due to important applications in embarked electronics and Boolean masking [3,4]. They are universal in the sense that for $q > 3$ every linear code is equivalent to an LCD code [5]. Since binary codes that are $\mathbb{Z}_4$-linear form a superclass of linear codes that enjoy connections with orthogonal arrays (in particular an easily calculated dual distance [2]), it is natural to consider the performance of the LCD subclass. Note that quasi-cyclic codes, of which double circulant codes form a special case, have been shown to contain good families of LCD codes [9]. We give an exact enumeration of double circulant codes over $\mathbb{Z}_4$ of length $2n$ when the factorization of $x^n - 1$ is arbitrary. When the factorization of $x^n - 1$ for $n$ odd contains only two irreducible factors, a situation which happens for infinitely many primes $n$ if the Artin conjecture holds, we have used a random coding argument to derive a lower bound on the relative Lee distance of these codes.

For modest values of $n$, machine calculations give codes that outperform binary linear LCD codes in terms of minimum distance. The material is arranged as follows. The next section compiles the background material necessary to the forthcoming sections, including the connection with Boolean masking. Section 3 develops the algebraic machinery of the CRT approach to quasi-cyclic codes. Section 4 enumerates all LCD double circulant codes of given length. Section 5 contains the asymptotic results. Section 6 tabulates the parameters of LCD double circulant codes of modest length. Section 7 concludes the article, and points out some open problems.

2. Definitions and notations

2.1. Z4-codes

The ring $\mathbb{Z}_4$ is the ring of integers modulo 4. A linear code of length $N$ over $\mathbb{Z}_4$ is a submodule of $\mathbb{Z}_4^N$. The dual $C^\perp$ is understood with respect to the standard inner product. A code is self-dual if it is equal to its dual. It is LCD (for linear complementary dual) if it intersects its dual trivially. A Galois ring $GR(4, d)$ is a quotient ring
of the form $\mathbb{Z}_4[x]/(h)$, where $h$ is a monic basic irreducible polynomial over $\mathbb{Z}_4$ with $\deg(h(x)) = d$ which reduces to an irreducible polynomial of the same degree over $\mathbb{F}_2$. The Teichmüller set $T_d = \{x \in GR(4, d) \mid x^{2^d} = x\}$ is a set of representatives of the residue field $\mathbb{F}_{2^d} \cong GR(4, d)/(2)$. In this paper, unless otherwise specified, $T$ plays the role of $T_d$. If $x \in GR(4, d)$, let $\bar{x}$ denote its image in $\mathbb{F}_{2^d}$ by reduction modulo $(2)$. It is known that $GR(4, d) = T \oplus 2T$ (2-adic decomposition of $GR(4, d)$), and that the group of units of the Galois ring is $GR(4, d)^\times = T^* \oplus 2T$, with $T^* = T \setminus \{0\}$. For any $D \in T$, let $\sqrt{D} = D^{2^{d-1}}$. Recall that the Yamada normal form of the sum of $A, B \in T$ is the 2-adic decomposition of $A + B$ given by

\[ A + B = \big(A + 2\sqrt{AB} + B\big) + 2\sqrt{AB}. \tag{1} \]
See [16, Cor. 6.9] for a proof. The Gray map $\phi : \mathbb{Z}_4 \to \mathbb{F}_2^2$ is defined by taking $0, 1, 2, 3$ to $00, 01, 11, 10$. This map extends naturally to a map $\Phi : \mathbb{Z}_4^N \to \mathbb{F}_2^{2N}$. The Lee weight of $x \in \mathbb{Z}_4^N$ is the Hamming weight of its Gray image $\phi(x)$. The Lee distance of $x, y \in \mathbb{Z}_4^N$ is the Lee weight of $x - y$. See [10,16] for details and background.

2.2. Binary codes

The entropy function is defined for $x \in (0, 1)$ by $H(x) = -x \log_2 x - (1 - x) \log_2 (1 - x)$. It is the function $H_2$ in [12]. A binary code of length $N$ and pseudo-dimension $k$ is any non-void proper subset of $\mathbb{F}_2^N$ with size $2^k$ (note that $k$ may be non-integral). Its minimum distance $d$ is $d = \min\{d(x, y) \mid x, y \in C,\ x \neq y\}$. If $C(N)$ is a family of (possibly nonlinear) binary codes of parameters $(N, 2^{k_N}, d_N)$, the rate $R$ and relative distance $\delta$ are defined as

\[ R = \limsup_{N \to \infty} \frac{k_N}{N} \quad \text{and} \quad \delta = \liminf_{N \to \infty} \frac{d_N}{N}. \]

Both limits are finite as limits of bounded quantities. Such a family of codes is said to be good if $R\delta \neq 0$. If $C(N) = \phi(D(N))$, for some $\mathbb{Z}_4$-code $D(N)$, by relative Lee distance of $D(N)$ we shall mean the relative Hamming distance of $C(N)$.

2.3. Boolean masking

In [3,4] binary LCD codes are used as a countermeasure against two sorts of cryptographic attacks, one passive, the other active:
• Side channel attacks (SCA).
• Fault injection attacks (FIA).

The masking is based on a direct sum decomposition $\mathbb{F}_2^N = C \oplus D$, where $C, D$ are binary codes of length $N$. It was shown in [3,4] that the security parameters for SCA (resp. FIA) are the minimum Hamming distance of $C$ (resp. the minimum Hamming distance of $D^\perp$). When the code $C$ is LCD, one may take $D = C^\perp$, and these two parameters coincide. When using $\mathbb{Z}_4$-codes the said decomposition becomes $\mathbb{Z}_4^N = C \oplus D$, where $C, D$ are now $\mathbb{Z}_4$-codes of length $N$. It can be shown [6] that the security parameters for SCA (resp. FIA) are the minimum Lee distance of $C$ (resp. the minimum Lee distance of $D^\perp$). In particular, if $C$ is LCD, and $D = C^\perp$, these two parameters coincide. Note that the minimum Lee distance of $D^\perp$ is one plus the strength of $\phi(D)$, viewed as an orthogonal array [2].

3. Preliminaries

Assume $n$ is odd, and consider the ring $R_4(n) = \mathbb{Z}_4[x]/(x^n - 1)$. We assume in the whole paper, except Section 4, that $x^n - 1 = (x - 1)h(x)$ has only two irreducible factors over $\mathbb{Z}_4[x]$. This can be achieved as follows. If $2$ is primitive modulo a prime $n$ then by the theory of cyclotomic cosets, $x^n + 1$ has only two factors over $\mathbb{F}_2$. It is immediate that the hypothesis $n$ prime is necessary. By Hensel lifting [16, Prop. 5.12], this factorization can be lifted over $\mathbb{Z}_4$ as $x^n - 1 = (x - 1)(x^{n-1} + \cdots + x + 1)$, where the second factor is basic irreducible. This factorization yields the CRT decomposition $R_4(n) = \mathbb{Z}_4 \oplus GR(4, n - 1)$, where $GR(4, n - 1)$ denotes the Galois ring of characteristic $4$ and size $4^{n-1}$. Concretely, if $f(x) \in R_4(n)$ then the CRT maps $f$ to the pair $(f(1), f(\omega))$, where $\omega$ is a root of $h(x)$. In the following, we will consider codes over $\mathbb{Z}_4$ of length $2n$ with $n$ odd. Here the code $C$ we are considering is a double circulant code whose generator matrix is of the form $G = (I_n, A)$, where $I_n$ is the identity matrix of order $n$ and $A$ is a circulant matrix. In polynomial form, this can be written as $(1, a(x))$, where the $x$-expansion of $a(x)$ is the first row of $A$.
The CRT decomposition of $C$ induced by the decomposition of $R_4(n)$ is then $C = C_1 \oplus C_2$, where $C_1$ is a code of length $2$ over $\mathbb{Z}_4$ and $C_2$ is a code of length $2$ over the Galois ring $GR(4, n - 1)$. The codes $C_1$ and $C_2$ are called the first and second constituent of $C$. Write $C_1 = \langle [1, \zeta] \rangle$ with $\zeta \in \mathbb{Z}_4$, and $C_2 = \langle [1, \alpha] \rangle$. Concretely $\zeta = a(1)$, and $\alpha = a(\omega)$. The element $\alpha$ admits a unique 2-adic decomposition as $\alpha = \beta + 2\gamma$, where $\beta, \gamma \in T$. Define the Hermitian conjugation over the Galois ring $GR(4, n - 1)$ as follows. Define a generalized Frobenius map $F$ as $F(\alpha) = \beta^2 + 2\gamma^2$. The conjugate $\bar{\alpha}$ of $\alpha$ is

\[ F^{\frac{n-1}{2}}(\alpha) = \beta^{2^{\frac{n-1}{2}}} + 2\gamma^{2^{\frac{n-1}{2}}}. \]

This notion of conjugate is induced by the map defined for $x \in R_4(n)$ by $f(x) \mapsto f(x^{n-1})$, introduced to study the duality of quasi-cyclic codes in [14, §3]. We can then define a Hermitian scalar product on $GR(4, n - 1)^2$ by $x \cdot y = x_1 \bar{y}_1 + x_2 \bar{y}_2$ for any $x, y \in GR(4, n - 1)^2$, where $x = (x_1, x_2)$, $y = (y_1, y_2)$. If $C$ is a code of length $2$ over $GR(4, n - 1)$, then we denote its dual with respect to the preceding scalar product by $C^{\perp_H}$. Note that if $C$ is a double circulant code with constituents $C_1, C_2$, then the constituent codes of $C^\perp$ are $C_1^\perp$ and $C_2^{\perp_H}$. A more complex definition, valid for the general factorization of $x^n - 1$, is in the proof of Theorem 3 [14]. The following result is of independent interest, since it shows that there is no self-dual double circulant code over $\mathbb{Z}_4$.

Lemma 1. The polynomial $x^2 + 1$ has no roots over $GR(4, d)$ for any integer $d \geq 1$. In particular, there is no free self-dual (for the Euclidean inner product) code of length $2$ over $GR(4, d)$ for any $d \geq 1$. Consequently, there is no self-dual (for the Euclidean inner product) double circulant code over $GR(4, d)$ for any $d \geq 1$.

Proof. If there were such a root, it would be of order $4$ in $GR(4, d)^\times$. But by [16, Cor. 6.8], the structure of that group is $\mathbb{Z}_2^d \times \mathbb{Z}_{2^d - 1}$, which implies that the orders of its elements are either $2$ or a divisor of $2^d - 1$. Contradiction. In particular, a free self-dual code of length $2$ would have a generator matrix $[1, d]$, with $d^2 = -1$. Thus, this latter code cannot be the first constituent of a self-dual double circulant code over $GR(4, d)$. □

We will give the necessary and sufficient condition for the constituent code $C_2$ to be LCD in the following Proposition.

Proposition 1. The code $C_2$ is LCD iff $1 + \alpha \cdot \bar{\alpha} \in GR(4, n - 1)^\times$.

Proof. "$\Leftarrow$" 1. If $\alpha \in GR(4, n - 1)^\times$, we then obtain $C_2^{\perp_H} = \langle [1, -\frac{1}{\bar{\alpha}}] \rangle$. Suppose $C_2$ is not LCD; then there exist $t, k \in GR(4, n - 1) \setminus \{0\}$ such that $t(1, \alpha) = k(1, -\frac{1}{\bar{\alpha}})$. We then obtain $t(1 + \alpha\bar{\alpha}) = 0$, which implies $t = 0$ since $1 + \alpha \cdot \bar{\alpha} \in GR(4, n - 1)^\times$. Contradiction!
2. If $\alpha \in GR(4, n - 1) \setminus GR(4, n - 1)^\times$, write $\alpha = 2\alpha'$ with $\alpha' \in T$. Then we have

\[ C_2^{\perp_H} = \left\langle \begin{pmatrix} 2\alpha' & 1 \\ 0 & 2\alpha' \end{pmatrix} \right\rangle \]

with $\alpha' \in T$. Suppose $C_2$ is not LCD; then there exist $m, n, l \in GR(4, n - 1)$, not all zero, such that $m(1, 2\alpha') = n(2\alpha', 1) + l(0, 2\alpha')$. That implies

\[ m = 2n\alpha', \qquad 2m\alpha' = n + 2l\alpha', \]

and then we obtain $m = 0$. Contradiction!

"$\Rightarrow$" Suppose $1 + \alpha \cdot \bar{\alpha} \in GR(4, n - 1) \setminus GR(4, n - 1)^\times$; then we have $2(1 + \alpha \cdot \bar{\alpha}) = 0 = 2(1, \alpha) \cdot (1, \alpha)$, which implies $2(1, \alpha) \in C_2^{\perp_H}$. We then obtain $0 \neq 2(1, \alpha) \in C_2^{\perp_H} \cap C_2$. Contradiction! □

It is easy to check that $C_1 = \langle [1, \zeta] \rangle$ is LCD with respect to the Euclidean scalar product iff $\zeta = 0$ or $2$. By Proposition 1, we have the following result.
Theorem 1. Let $u = 2^{\frac{n-1}{2}}$. The constituent code $C_2 = \langle (1, \beta + 2\gamma) \rangle$ is not LCD for the Hermitian scalar product iff

\[ \beta^{1+u} \equiv 1 \pmod 2. \]

Proof. If $u = 2^{\frac{n-1}{2}}$, then $GR(4, n - 1)/(2) \cong \mathbb{F}_{2^{n-1}} = \mathbb{F}_{u^2}$. By Proposition 1, the code $C_2$ is not LCD iff $1 + \alpha\bar{\alpha} \in 2GR(4, n - 1)$ iff

\[ 1 + \beta^{1+u} + 2(\gamma\beta^u + \gamma^u\beta) = T_1 + 2T_2 \tag{2} \]

with $T_1 = 0$, $T_2 \in T$. Computing the Yamada normal form (Equation (1)), we have

\[ 1 + \beta^{1+u} = \Big(1 + 2\sqrt{\beta^{1+u}} + \beta^{1+u}\Big) + 2\sqrt{\beta^{1+u}}. \]

Equation (2) becomes

\[ 1 + 2\sqrt{\beta^{1+u}} + \beta^{1+u} + 2\Big(\gamma\beta^u + \gamma^u\beta + \sqrt{\beta^{1+u}}\Big) = T_1 + 2T_2, \]

implying in particular $1 + 2\sqrt{\beta^{1+u}} + \beta^{1+u} = 0$, which is equivalent to

\[ \beta^{1+u} \equiv 1 \pmod 2. \qquad \square \]
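As an added example (not code from the paper), the following Python script implements arithmetic in the Galois ring $GR(4, d) = \mathbb{Z}_4[x]/(h)$ for the constructed case $n = 3$, $d = 2$, $h = x^2 + x + 1$, and checks equation (1), Lemma 1, Proposition 1 and Theorem 1 exhaustively over the 16 ring elements. The function names (gr_mul, two_adic, conj, and so on) are this example's own; the Hermitian dual of $C_2$ is computed directly from the scalar product $x \cdot y = x_1\bar{y}_1 + x_2\bar{y}_2$ and compared with the unit criterion of Proposition 1 and the residue criterion of Theorem 1.

```python
from itertools import product

# Constructed instance: n = 3, d = n - 1 = 2, h = x^2 + x + 1 (the basic irreducible
# factor of (x^3 - 1)/(x - 1) over Z4). Elements are coefficient tuples of length D.
H = (1, 1, 1)                 # h, lowest degree first; h is monic
D = len(H) - 1
ZERO = (0,) * D
ONE = (1,) + (0,) * (D - 1)
TWO = (2,) + (0,) * (D - 1)


def gr_add(a, b):
    return tuple((x + y) % 4 for x, y in zip(a, b))


def gr_mul(a, b):
    """Product modulo 4 and modulo h: x^D = -(h_0 + h_1 x + ... + h_{D-1} x^{D-1})."""
    prod = [0] * (2 * D - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] += x * y
    for k in range(2 * D - 2, D - 1, -1):      # reduce from the top degree down
        c = prod[k] % 4
        for i in range(D):
            prod[k - D + i] -= c * H[i]
        prod[k] = 0
    return tuple(v % 4 for v in prod[:D])


def gr_pow(a, e):
    r, b = ONE, a
    while e:
        if e & 1:
            r = gr_mul(r, b)
        b = gr_mul(b, b)
        e >>= 1
    return r


ELEMENTS = [tuple(c) for c in product(range(4), repeat=D)]
TEICH = [x for x in ELEMENTS if gr_pow(x, 2 ** D) == x]   # T_d = {x : x^(2^d) = x}


def is_unit(a):
    return any(c % 2 for c in a)          # unit iff nonzero modulo (2)


def sqrt_t(t):
    return gr_pow(t, 2 ** (D - 1))        # the map D -> D^(2^(d-1)) on T, "sqrt" in (1)


def yamada_holds():
    """Equation (1): A + B = (A + 2 sqrt(AB) + B) + 2 sqrt(AB) with the bracket in T."""
    for A, B in product(TEICH, repeat=2):
        s = gr_mul(TWO, sqrt_t(gr_mul(A, B)))
        bracket = gr_add(gr_add(A, s), B)
        if bracket not in TEICH or gr_add(bracket, s) != gr_add(A, B):
            return False
    return True


def two_adic(alpha):
    """alpha = beta + 2 gamma, beta, gamma in T; beta = alpha^(2^d) because
    (beta + 2 gamma)^2 = beta^2 in characteristic 4."""
    beta = gr_pow(alpha, 2 ** D)
    for gamma in TEICH:
        if gr_add(beta, gr_mul(TWO, gamma)) == alpha:
            return beta, gamma
    raise ValueError("no 2-adic decomposition found")


def frobenius(alpha):
    beta, gamma = two_adic(alpha)
    return gr_add(gr_mul(beta, beta), gr_mul(TWO, gr_mul(gamma, gamma)))


def conj(alpha):
    """Hermitian conjugate: F applied (n - 1)/2 = D/2 times."""
    for _ in range(D // 2):
        alpha = frobenius(alpha)
    return alpha


def prop1_lcd(alpha):
    """Proposition 1: C_2 = <[1, alpha]> is LCD iff 1 + alpha * conj(alpha) is a unit."""
    return is_unit(gr_add(ONE, gr_mul(alpha, conj(alpha))))


def brute_force_lcd(alpha):
    """C_2 meets its Hermitian dual {y : conj(y_1) + alpha conj(y_2) = 0} only in 0."""
    code = {(t, gr_mul(t, alpha)) for t in ELEMENTS}
    dual = {(y1, y2) for y1 in ELEMENTS for y2 in ELEMENTS
            if gr_add(conj(y1), gr_mul(alpha, conj(y2))) == ZERO}
    return code & dual == {(ZERO, ZERO)}


def theorem1_not_lcd(alpha):
    """Theorem 1: C_2 is not LCD iff beta^(1+u) = 1 (mod 2), u = 2^((n-1)/2)."""
    beta, _ = two_adic(alpha)
    p = gr_pow(beta, 1 + 2 ** (D // 2))
    return p[0] % 2 == 1 and all(c % 2 == 0 for c in p[1:])


def count_lcd_c2():
    """Number of LCD constituents C_2; Theorem 2 predicts u^4 - u^3 - u^2."""
    return sum(prop1_lcd(a) for a in ELEMENTS)


def lemma1_root_exists():
    """Lemma 1: x^2 + 1 has no root in GR(4, d)."""
    minus_one = (3,) + (0,) * (D - 1)
    return any(gr_mul(x, x) == minus_one for x in ELEMENTS)


if __name__ == "__main__":
    print("|T| =", len(TEICH), "Yamada form holds:", yamada_holds())
    print("LCD C_2 count:", count_lcd_c2(), "Lemma 1 root:", lemma1_root_exists())
```

For $n = 3$ the Teichmüller set has $2^d = 4$ elements, the three criteria agree on all 16 values of $\alpha$, exactly $u^4 - u^3 - u^2 = 4$ of them (those with $\beta = 0$, i.e. $\alpha \in 2T$) give an LCD constituent, and $x^2 + 1$ has no root, as Lemma 1 states.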
3.1. Counting LCD codes when $x^n - 1$ has only two factors

Using Proposition 1 and Theorem 1, we can count LCD double circulant $\mathbb{Z}_4$-codes of length $2n$.

Theorem 2. Write $u = 2^{\frac{n-1}{2}}$. If $x^n - 1$ has only two factors then the number of LCD double circulant codes over $\mathbb{Z}_4$ of length $2n$ is $2(u^4 - u^3 - u^2)$.

Proof. By Theorem 1, we know $C_2$ is not LCD iff $\beta^{1+u} \equiv 1 \pmod 2$. Reducing the equation $\beta^{1+u} = 1$ modulo $2$ we derive the equation $\bar{\beta}^{1+u} = 1$ over $\mathbb{F}_{u^2}$; since the map $\beta \mapsto \bar{\beta}$ from $T$ to $\mathbb{F}_{u^2}$ is one-to-one, the number of such $\beta$'s, being that of such $\bar{\beta}$'s, is equal to $1 + u$. Thus, the total number of choices for a non-LCD code $C_2$ is given by $(1 + u)u^2$ since $\gamma$ is arbitrary in $T$. Since the total number of double circulant codes over $\mathbb{Z}_4$ is equal to $4^{n-1} = u^4$, we can easily get the number of LCD codes $C_2$, which is $u^4 - u^3 - u^2$. Now $C$ is LCD iff both $C_1$ and $C_2$ are. The number of LCD components $C_1$ is $2$, being the number of LCD codes of generator matrix $[1, \zeta]$, with $\zeta \in \mathbb{Z}_4$, and $\zeta = 0$ or $2$. Then the result follows. □

4. Enumeration in the general case

This section is not needed for the asymptotic results of the next section. Exceptionally, the polynomial $x^n - 1$ can have more than two factors. Assume that the factorization of $x^n - 1$ into irreducible polynomials over $\mathbb{Z}_4$ is of the form

\[ x^n - 1 = \alpha (x - 1) \prod_{i=2}^{s} g_i(x) \prod_{j=1}^{t} h_j(x) h_j^*(x), \]

where $\alpha$ is a unit in $\mathbb{Z}_4$, $g_i(x)$ is a self-reciprocal polynomial of degree $2d_i$, $h_j(x)$ is of degree $e_j$ and $*$ denotes reciprocation.

Lemma 2. For $j = 1, 2, \ldots, t$, denote $GR(4, e_j)$ by $R$. Let $C_j = \langle [1, a] \rangle$ and $C_j' = \langle [1, b] \rangle$ with $a \in \frac{\mathbb{Z}_4[x]}{(h_j(x))}$, $b \in \frac{\mathbb{Z}_4[x]}{(h_j^*(x))}$, where the degree of the basic irreducible polynomial $h_j(x)$ is $e_j$. We then have

\[ C_j \cap C_j'^{\perp} = \{0\}, \qquad C_j^{\perp} \cap C_j' = \{0\}, \]

iff $1 + ab \notin 2R$.
Proof. "$\Rightarrow$" Assume $1 + ab \in 2R$. We then obtain $2(1 + ab) = 0$, which implies $2(1, a) \cdot (1, b) = 0$. That is equivalent to $2(1, a) \in C_j'^{\perp}$; noting that $2(1, a) \in C_j$, this is a contradiction with $C_j \cap C_j'^{\perp} = \{0\}$.

"$\Leftarrow$" Assume $C_j \cap C_j'^{\perp} \neq \{0\}$. That implies we must have $\lambda \in GR(4, e_j) \setminus \{0\}$ such that $\lambda(1, a) \cdot (1, b) = \lambda(1 + ab) = 0$. Discussing on $\lambda$ we consider the following two cases:
(1) $\lambda$ is a unit: we get $1 + ab = 0$, which is a contradiction with $1 + ab \notin 2R$.
(2) $\lambda$ is not a unit: writing $\lambda = 2\lambda_1$ with $\lambda_1 \in T_{e_j}^*$, we then obtain $1 + ab \in 2R$. Contradiction!
This completes the proof. □

We can now state and prove the main result of this section.

Theorem 3. Let $n$ be an odd integer. Keep the above notation. The number of LCD double circulant codes over $\mathbb{Z}_4$ is

\[ 2 \prod_{i=2}^{s} \left( u_i^4 - u_i^3 - u_i^2 \right) \prod_{j=1}^{t} \left( u_j^4 - u_j^3 + u_j^2 \right), \]

where $u_i = 2^{d_i}$, $u_j = 2^{e_j}$.

Proof. We know that

\[ R_4(n) \cong \frac{\mathbb{Z}_4[x]}{(x - 1)} \oplus \bigoplus_{i=2}^{s} \frac{\mathbb{Z}_4[x]}{(g_i(x))} \oplus \bigoplus_{j=1}^{t} \left( \frac{\mathbb{Z}_4[x]}{(h_j(x))} \oplus \frac{\mathbb{Z}_4[x]}{(h_j^*(x))} \right) \]

by the CRT. Denote $G_i = \frac{\mathbb{Z}_4[x]}{(g_i(x))}$, $H_j = \frac{\mathbb{Z}_4[x]}{(h_j(x))}$ and $H_j' = \frac{\mathbb{Z}_4[x]}{(h_j^*(x))}$. This decomposition naturally extends to $R_4(n)^2$ as

\[ R_4(n)^2 \cong \mathbb{Z}_4^2 \oplus \bigoplus_{i=2}^{s} G_i^2 \oplus \bigoplus_{j=1}^{t} \left( H_j^2 \oplus H_j'^2 \right). \]

In particular, each $R_4(n)$-linear code of length $2$ can be decomposed as the "CRT sum"

\[ C \cong C_1 \oplus \bigoplus_{i=2}^{s} C_i \oplus \bigoplus_{j=1}^{t} \left( C_j \oplus C_j' \right), \]

where $C_1$ is a linear code over $\mathbb{Z}_4$ of length $2$, for each $2 \leq i \leq s$, $C_i$ is a linear code over $G_i$ of length $2$, and for each $1 \leq j \leq t$, $C_j$ is a linear code over $H_j$ of length $2$ and $C_j'$ is a linear code over $H_j'$ of length $2$. The codes $C_i, C_j, C_j'$ are called the constituents of $C$.
It is shown in [14] that the corresponding decomposition into constituents of the dual code is

\[ C^\perp \cong C_1^\perp \oplus \bigoplus_{i=2}^{s} C_i^{\perp_H} \oplus \bigoplus_{j=1}^{t} \left( C_j'^{\perp} \oplus C_j^{\perp} \right), \]

where the last $\perp$ is for the Euclidean inner product and the inversion of $C_j$ and $C_j'$ is intended. We discuss the consequences of the fact that $C$ is LCD or, equivalently, that $C \cap C^\perp = \{0\}$, for the three types of codes in that sum.

(i) Since $C_1$ has generator matrix $[1, \zeta]$ with arbitrary $\zeta \in \mathbb{Z}_4$, there are $2$ LCD codes $C_1$, for $\zeta = 0, 2$.

(ii) The number of LCD codes $C_i$ is obtained by the same complementation argument as in Subsection 3.1 and is $\prod_{i=2}^{s} (u_i^4 - u_i^3 - u_i^2)$ with $u_i = 2^{d_i}$.

(iii) Let $C_j = \langle [1, a] \rangle$ and $C_j' = \langle [1, b] \rangle$ with $a \in \frac{\mathbb{Z}_4[x]}{(h_j(x))}$, $b \in \frac{\mathbb{Z}_4[x]}{(h_j^*(x))}$. The condition for $C_j$ to be LCD is, similarly to that of [9] for finite fields, given by

\[ C_j \cap C_j'^{\perp} = \{0\}, \qquad C_j^{\perp} \cap C_j' = \{0\}, \]

which is equivalent to $1 + ab \notin 2R$ by Lemma 2. We then obtain:
(iii-1) If $a$ is a unit, then $b$ must satisfy $b \notin -a^{-1} + 2R$, which implies that the number of choices for the pair $(a, b)$ is $(u_j^2 - u_j)^2$.
(iii-2) If $a$ is not a unit, i.e. $a = 2a_1$ with $a_1 \in T_{e_j}$, then $b$ is arbitrary. In detail, for $b = b_1 + 2b_2$ with $b_1, b_2 \in T_{e_j}$, we have $1 + ab = 1 + 2b_1 a_1 \notin 2R$. We then obtain that the number of choices for $(a, b)$ is $u_j \cdot u_j^2 = u_j^3$.
Thus, the total number of choices for $(C_j, C_j')$ is

\[ \prod_{j=1}^{t} \left( (u_j^2 - u_j)^2 + u_j^3 \right) = \prod_{j=1}^{t} \left( u_j^4 - u_j^3 + u_j^2 \right). \]

Therefore, the total number of LCD double circulant codes is equal to

\[ 2 \prod_{i=2}^{s} \left( u_i^4 - u_i^3 - u_i^2 \right) \prod_{j=1}^{t} \left( u_j^4 - u_j^3 + u_j^2 \right), \]

where $u_i = 2^{d_i}$, $u_j = 2^{e_j}$. □

5. Distance bounds

The notation in this section is the same as previously.
Theorem 4. If $e, f \in \mathbb{Z}_4^n$, $(e, f) \neq (0, 0)$, and $(e, f)$ has Hamming weight $< n$, then the vector $(e, f)$ is in at most $\lambda$ double circulant LCD codes of length $2n$, with $\lambda = 2^n$.

Proof. Write $(e, f) \cong (e_1, f_1) \oplus (e_2, f_2)$ for the CRT decomposition of $(e, f)$. We can bound the number of codes $C_1$ such that $(e_1, f_1) \in C_1$ by $2$. Consider $C_2 = \langle [1, \alpha] \rangle$, $\alpha = \beta + 2\gamma$, $\alpha \in GR(4, n - 1)$. Let $(e_2, f_2) \in C_2$. We then obtain $f_2 = \alpha e_2$.
(i) If $e_2$ is a unit, then $\alpha = f_2 / e_2$; $\alpha$ is unique, i.e. $C_2$ is unique.
(ii) If $e_2$ is not a unit, writing $e_2 = 2e_2'$ with $e_2' \in T^*$, by the equation $f_2 = \alpha e_2$ we obtain $f_2 = 2f_2'$, where $f_2' \in T$. We then have the following two cases:
(ii-1) If $\beta \neq 0$, we have $2f_2' = 2e_2'\beta$, which implies $\beta = f_2' / e_2'$. It should be noted that $\gamma$ is arbitrary.
(ii-2) If $\beta = 0$, we have $2f_2' = (2\gamma)(2e_2') = 0$; again, $\gamma$ is arbitrary in $T$.
(iii) If $e_2 = f_2 = 0$, then $e, f \in \left( \frac{x^n - 1}{x - 1} \right)$; noting that $(e, f) \neq (0, 0)$, this implies $w_H(e, f) \geq n$, contradiction!
Thus, since $\gamma \in T$, we have $\lambda \leq 2|T| = 2^n$. This completes the proof. □

We can now prove that there are arbitrarily long double circulant LCD $\mathbb{Z}_4$-codes with a binary image above the Gilbert-Varshamov bound. We will use the notation $a_n \sim b_n$ to mean that the sequences $a_n$ and $b_n$ are asymptotically equivalent for $n \to \infty$. This means that, given $\epsilon > 0$, we have for all $n$ large enough $b_n(1 - \epsilon) \leq a_n \leq b_n(1 + \epsilon)$.

Theorem 5. Assume the Artin conjecture holds. There is an infinite family of double circulant LCD $\mathbb{Z}_4$-codes with rate $\frac{1}{2}$ and relative Lee distance $\delta \geq H^{-1}(1/4)$.

Proof. Note that, by the theory of cyclotomic cosets, there are infinitely many $n$'s such that $\frac{x^n - 1}{x - 1}$ is irreducible over $\mathbb{F}_2$ iff there are infinitely many prime $n$'s such that $2$ is primitive modulo $n$. This latter condition is known as Artin's primitive root conjecture for the root $2$ and has been proved by Hooley under GRH [11]. We prove the said lower bound by the classical technique of "expurgated random coding", which derives the existence of codes with distance at least a given bound in a family of codes by showing that the codes with distance below that bound are fewer in number than the size of the family. It should be noted that the size of the family of codes is asymptotically equivalent to $2u^4$ since the numbers of choices for the constituent codes $C_1$ and $C_2$ are $2$ and $\sim u^4$, respectively. Denote by $d_n$ the largest integer satisfying

\[ 2^n \sum_{i=0}^{d_n - 1} \binom{4n}{i} < 2u^4 = 2^{2n-1}. \]

By Theorem 4, this inequality implies that the size of the family is strictly larger than the number of codes of minimum Lee distance $\leq d_n - 1$. Hence, by complementation, in the family we consider there are codes of length $2n$ that have a minimum distance $\geq d_n$. Letting $d_n \sim 4n\delta_0$, by the entropic estimates of [12, Lemma 2.10.3] (with $q = 2$), we see that the defining inequality for $d_n$ will be satisfied for large $n$ if, up to subexponential terms, we have $2^n 2^{4nH(\delta_0)} \sim 2^{2n-1}$, or, equivalently, $H(\delta_0) = \frac{1}{4}$. We see that the family of codes of length $n$ thus constructed with minimum distance $\geq d_n$ has relative distance $\delta \geq \delta_0$. The result follows. □

Remark. It is clear that the size of $C$ is equal to $4^n$, which is equal to $2^{2n}$. We then obtain the rate of $\phi(C)$ as $\frac{2n}{4n}$, which is equal to $\frac{1}{2}$. Thus the lower bound on the relative distance of the Gray image is weaker than that given by the Gilbert-Varshamov bound for binary linear codes of rate $\frac{1}{2}$, which is equal to $H^{-1}(1/2)$.

6. Numerical examples

In Table 1 we have collected some examples of double circulant codes with the best parameters obtained by random search in Magma. The coefficients of the polynomial $a(x)$, of degree $< n$, are written in decreasing powers of $x$; for example for $n = 3$, the entry 311 means $3x^2 + x + 1$. The parameters are given in the form $(2n, 4^n, d)$ where $d$ is the minimum Lee distance, and $4^n$ the size of the code. The hypothesis $n$ odd is not needed in this section. The entry in the rightmost column is the best known distance of a $[4n, 2n]$ binary linear code, obtained by looking up the tables at www.codetables.de. When the distance of the code constructed reaches that value the parameters are starred. For its first three rows, Table 1 outperforms the table of lower bounds on the dimension of LCD codes of [8].

7. Conclusion and open problems

We have considered double circulant LCD $\mathbb{Z}_4$-codes of length $2n$. We have given general enumeration formulas valid for all $n$ depending on the factorization of $x^n - 1$. When that factorization has only two terms, we could derive an asymptotic lower bound on the relative Lee distance of that family of codes. The proofs rely on the arithmetic of Galois rings and finite fields. Extending these results from the alphabet $\mathbb{Z}_4$ to $\mathbb{Z}_{2^m}$ is a well-motivated but challenging open problem. In that more general situation, the 2-adic decomposition of the ring counts $m$ terms, a fact which might make some calculations intractable. The numerical results, using random double circulant codes, indicate that $\mathbb{Z}_4$-linear binary LCD codes outperform binary linear LCD codes. It might be worth investigating experimentally the performance of $\mathbb{Z}_{2^m}$-linear binary LCD codes for $m > 2$.
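As an added example for Section 5 (not the paper's code), the following Python script evaluates the ingredients of Theorem 5 numerically: the entropy function $H$ of Section 2.2, its inverse on $[0, 1/2]$ by bisection (giving $H^{-1}(1/4)$ from Theorem 5 and the Gilbert-Varshamov value $H^{-1}(1/2)$ quoted in the Remark), and the largest $d_n$ satisfying the counting inequality $2^n \sum_{i=0}^{d_n - 1} \binom{4n}{i} < 2^{2n-1}$ from the proof. The function names are this example's own.

```python
from math import comb, log2


def entropy(x):
    """H(x) = -x log2 x - (1 - x) log2 (1 - x) on (0, 1), extended by 0 at the ends."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * log2(x) - (1 - x) * log2(1 - x)


def entropy_inverse(y, tol=1e-12):
    """Inverse of H on [0, 1/2], where H is increasing, computed by bisection."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if entropy(mid) < y:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def expurgation_d(n):
    """Largest d with 2^n * sum_{i<d} C(4n, i) < 2 u^4 = 2^(2n-1).

    The Gray images live in F_2^(4n); a Z4-vector of Lee weight i has a Gray
    image of Hamming weight i and, for i < n, lies in at most 2^n of the ~2u^4
    LCD double circulant codes (Theorem 4), so while the count stays below the
    size of the family some code has minimum Lee distance >= d."""
    bound = 2 ** (2 * n - 1)
    total, d = 0, 0
    while True:
        total += comb(4 * n, d)           # now total = sum_{i<=d} C(4n, i)
        if 2 ** n * total >= bound:
            return d                      # weights 0..d-1 were still below the bound
        d += 1


def relative_distances(ns):
    """d_n / (4n) for each n, to be compared with delta_0 = H^{-1}(1/4)."""
    return {n: expurgation_d(n) / (4 * n) for n in ns}


if __name__ == "__main__":
    print("H^-1(1/4) =", entropy_inverse(0.25), " H^-1(1/2) =", entropy_inverse(0.5))
    print(relative_distances([3, 11, 101, 1001]))
```

For $n = 11$ the inequality gives $d_{11} = 3$, far below the distance 9 found by search for that length in Table 1, which shows that the random-coding bound is only asymptotic; $d_n/(4n)$ rises towards $H^{-1}(1/4) \approx 0.0417$ as $n$ grows, while the binary Gilbert-Varshamov value $H^{-1}(1/2) \approx 0.11$ of the Remark is considerably larger.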
Table 1. Double circulant LCD codes over Z4; ∗: optimal codes.

n    a(x)                    Parameters over Z4    Distance of BKLC
3    311                     (6, 4^3, 4)∗          4
4    2100                    (8, 4^4, 4)           5
5    21110                   (10, 4^5, 6)∗         6
6    120100                  (12, 4^6, 4)          8
7    2311100                 (14, 4^7, 7)          8
8    32121100                (16, 4^8, 8)∗         8
9    112110000               (18, 4^9, 6)          8
10   1032102131              (20, 4^10, 9)∗        9
11   10303001022             (22, 4^11, 9)         10
12   033111000122            (24, 4^12, 8)         12
13   0211323111322           (26, 4^13, 10)∗       10
14   32311132233200          (28, 4^14, 10)        12
15   332333230022231         (30, 4^15, 10)        12
16   3312233331021232        (32, 4^16, 12)∗       12
17   10113331310233122       (34, 4^17, 12)        13
18   011021102032302200      (36, 4^18, 12)        15
19   3123221000022110301     (38, 4^19, 13)        14
20   31021100123003111211    (40, 4^20, 13)        16
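As an added example (not code from the paper), the following Python script works directly with the generator matrix $G = (I_n, A)$ of Section 3: it parses Table 1 entries, computes the minimum Lee distance through the Gray map by exhaustive enumeration of the $4^n$ codewords, tests the LCD property, and compares exhaustive counts with the formulas of Theorems 2 and 3 for $n = 3, 5, 7, 9$. The LCD test is the matrix criterion that a free code with generator matrix $G$ meets its dual trivially iff $GG^T$ is invertible over $\mathbb{Z}_4$ (its determinant is odd); this is a standard criterion used here in place of the paper's CRT argument, and the factorizations of $x^n - 1$ over $\mathbb{F}_2$ in the comments are standard facts supplied for this example, not taken from the paper. All function names are this example's own.

```python
from itertools import product

GRAY = {0: (0, 0), 1: (0, 1), 2: (1, 1), 3: (1, 0)}    # Gray map phi of Section 2.1


def parse_a(entry):
    """Table 1 convention: digits are the coefficients of a(x) in decreasing
    powers of x, so "311" is 3x^2 + x + 1. Returns (a_0, ..., a_{n-1})."""
    return tuple(int(c) for c in reversed(entry))


def circulant(a):
    n = len(a)
    return [[a[(j - i) % n] for j in range(n)] for i in range(n)]


def generator(a):
    """G = (I_n | A) over Z4 as a list of n rows of length 2n."""
    n = len(a)
    A = circulant(a)
    return [[int(i == j) for j in range(n)] + A[i] for i in range(n)]


def gram_invertible(G):
    """True iff G G^T is invertible over Z4. Its determinant is a unit of Z4 iff
    it is odd, so row-reduce G G^T modulo 2 over F2 and look for n pivots."""
    k = len(G)
    M = [[sum(G[i][t] * G[j][t] for t in range(len(G[0]))) % 2 for j in range(k)]
         for i in range(k)]
    for col in range(k):
        piv = next((r for r in range(col, k) if M[r][col]), None)
        if piv is None:
            return False
        M[col], M[piv] = M[piv], M[col]
        for r in range(k):
            if r != col and M[r][col]:
                M[r] = [x ^ y for x, y in zip(M[r], M[col])]
    return True


def is_lcd(a):
    """C = <G> is free: if G G^T is invertible, x G in C^perp forces x G G^T = 0,
    hence x = 0; if it is not, a nonzero y over F2 with y G G^T = 0 (mod 2) gives
    the nonzero word 2y G lying in both C and C^perp."""
    return gram_invertible(generator(a))


def first_constituent_ok(a):
    """Section 3: C_1 = <[1, a(1)]> is LCD iff a(1) is 0 or 2 modulo 4."""
    return sum(a) % 4 in (0, 2)


def gray(v):
    return tuple(bit for x in v for bit in GRAY[x])


def lee_weight(v):
    return sum(gray(v))              # Lee weight = Hamming weight of the Gray image


def min_lee_distance(a):
    """Exhaustive search over the 4^n codewords x G (fine for the table's small n)."""
    G, n = generator(a), len(a)
    best = None
    for x in product(range(4), repeat=n):
        if any(x):
            c = [sum(x[i] * G[i][j] for i in range(n)) % 4 for j in range(2 * n)]
            w = lee_weight(c)
            if best is None or w < best:
                best = w
    return best


def count_lcd(n):
    """Number of LCD double circulant codes of length 2n over Z4. G G^T mod 2
    depends only on a(x) mod 2, so each of the 2^n binary patterns stands for
    2^n polynomials over Z4 sharing the same LCD status."""
    return 2 ** n * sum(is_lcd(a) for a in product(range(2), repeat=n))


def theorem3_count(ds, es):
    """Theorem 3: ds are the half-degrees d_i of the self-reciprocal factors g_i,
    es the degrees e_j of the reciprocal pairs h_j, h_j^*. Theorem 2 is the case
    ds = [(n-1)/2], es = []."""
    total = 2
    for d in ds:
        u = 2 ** d
        total *= u ** 4 - u ** 3 - u ** 2
    for e in es:
        u = 2 ** e
        total *= u ** 4 - u ** 3 + u ** 2
    return total


if __name__ == "__main__":
    for entry in ("311", "120100"):
        a = parse_a(entry)
        print(entry, "LCD:", is_lcd(a), "a(1) in {0,2}:", first_constituent_ok(a),
              "min Lee distance:", min_lee_distance(a))
    # Factorizations of x^n - 1 over F2 (standard facts, supplied for this example):
    # n=3: (x-1)(x^2+x+1)            n=5: (x-1)(x^4+x^3+x^2+x+1)
    # n=7: (x-1)(x^3+x+1)(x^3+x^2+1)  n=9: (x-1)(x^2+x+1)(x^6+x^3+1)
    for n, ds, es in ((3, [1], []), (5, [2], []), (7, [], [3]), (9, [1, 3], [])):
        print(n, count_lcd(n), theorem3_count(ds, es))
```

Running the script reproduces the minimum Lee distance 4 for the entries 311 ($n = 3$) and 120100 ($n = 6$) of Table 1, and the counts 8, 352, 7296 and 28160 for $n = 3, 5, 7, 9$ agree with Theorems 2 and 3. Note that for 311 the matrix test reports the code as not LCD; this matches the first-constituent condition of Section 3, since $a(1) = 5 \equiv 1 \pmod 4$ is neither 0 nor 2, so the word $2(1, 1, 1, 1, 1, 1)$ lies in both the code and its dual. The entry 120100 has $a(1) = 4 \equiv 0$ and passes.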
References

[1] A. Alahmadi, F. Özdemir, P. Solé, On self-dual double circulant codes, Des. Codes Cryptogr. 86 (6) (2018) 1257–1265.
[2] P.J. Cameron, J. Kusuma, P. Solé, Z4-codes and their Gray map images as orthogonal arrays, Des. Codes Cryptogr. 84 (1–2) (2017) 109–114.
[3] C. Carlet, S. Guilley, Complementary dual codes for counter-measures to side-channel attacks, Adv. Math. Commun. 10 (1) (2016) 131–150.
[4] C. Carlet, S. Guilley, Statistical properties of side-channel and fault injection attacks using coding theory, Cryptogr. Commun. 10 (5) (2018) 909–933.
[5] C. Carlet, S. Mesnager, C. Tang, Y. Qi, R. Pellikaan, Linear codes over Fq are equivalent to LCD codes for q > 3, IEEE Trans. Inf. Theory 64 (4) (2018) 3010–3017.
[6] C. Carlet, S. Guilley, P. Solé, Boolean masking with nonlinear binary codes, in preparation.
[7] C.L. Chen, W.W. Peterson, E.J. Weldon, Some results on quasi-cyclic codes, Inf. Control 15 (5) (1969) 407–423.
[8] S.T. Dougherty, J.L. Kim, B. Özkaya, L. Sok, P. Solé, The combinatorics of LCD codes: linear programming bound and orthogonal matrices, Int. J. Inf. Coding Theory 4 (2/3) (2017) 116–128.
[9] C. Güneri, B. Özkaya, P. Solé, Quasi-cyclic complementary dual codes, Finite Fields Appl. 42 (2016) 67–80.
[10] A.R. Hammons Jr., P.V. Kumar, A.R. Calderbank, N.J.A. Sloane, P. Solé, The Z4-linearity of Kerdock, Preparata, Goethals and related codes, IEEE Trans. Inf. Theory 40 (2) (1994) 301–319.
[11] C. Hooley, On Artin's conjecture, J. Reine Angew. Math. 225 (1967) 209–220.
[12] W.C. Huffman, V. Pless, Fundamentals of Error Correcting Codes, Cambridge University Press, 2003.
[13] S. Ling, P. Solé, On the algebraic structure of quasi-cyclic codes I: finite fields, IEEE Trans. Inf. Theory 47 (7) (2001) 2751–2760.
[14] S. Ling, P. Solé, On the algebraic structure of quasi-cyclic codes II: chain rings, Des. Codes Cryptogr. 30 (1) (2003) 113–130.
[15] J.L. Massey, Linear codes with complementary duals, Discrete Math. 106–107 (1992) 337–342.
[16] Z.X. Wan, Quaternary Codes, World Scientific, 1997.